Adding notations to subkey binding signatures to limit their scope
Guilhem Moulin
guilhem at fripost.org
Sun Nov 15 19:52:44 CET 2015
Hi there,

The OpenPGP standard (RFC 4880) allows the owner of the private part of
the primary key to add a notation on a subkey binding signature. With
GnuPG this can be achieved upon subkey creation with the following
command:

    gpg --cert-notation my@notation=xxx --edit-key $KEYID addkey save

In theory, such subkeys with notations could be used by the owner to
limit their scope. For instance, after an IRC discussion with dkg and a
private chat with Werner, the following use cases came to mind:

  - Two encryption subkeys, one stored on laptops and other devices for
    everyday use, and another stored offline for extra secure
    communications.
  - Three signing subkeys, one stored on the development platform for
    signing Git commits, one for everyday use (e.g. used to sign emails),
    and the last one stored offline to sign packages and release
    tarballs.

In fact such isolation is already possible using multiple primary keys
instead of multiple subkeys. However the master+subkey model has the
advantage of enabling subkey rotation, and avoids duplicating
trust-paths in the WoT.

Unfortunately these use cases can be hard to achieve without standard
notations. However in the context of a keyring managed centrally by a
single entity, such as the Debian project, the standard can also be
managed by said entity. For instance as a Debian maintainer, I would
create a signing subkey (dedicated to package signing) with the
Debian-specific notation and keep it securely. Any uploaded package
signed with my other signing subkey (for everyday use hence easier to
compromise) would be automatically rejected.

In fact from a technical point of view, the only thing missing is an
option for gpg(1) and gpgv(1) to consider a data signature valid *only*
if the signing (sub)key had the specified notation. For instance

    gpg --assert-notation my@notation=xxx --verify /path/to/data.sig /path/to/data

Of course, the feature might not be suitable for everyone, so for
backward compatibility, ideally gpg(1) and gpgv(1) should also have a
flag --assert-notation-fallback to also consider a data signature valid
if *none* of the signing (sub)keys had the specified notation.

Or perhaps someone here would have a better suggestion to limit the
scope of subkeys?

Cheers,
--
Guilhem.
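Added example (not part of the original message, and not GnuPG code): a sketch of the proposed --assert-notation decision, including the --assert-notation-fallback behaviour, evaluated over Notation Data subpackets in the RFC 4880 layout. The function names, the key labels and the sample certificates are constructed for illustration; it assumes the binding signatures were already verified and that only signing-capable (sub)keys are listed.

```python
import struct

HUMAN_READABLE = 0x80  # first flag octet of a Notation Data subpacket (RFC 4880, 5.2.3.16)

def parse_notation(body: bytes):
    """Parse one Notation Data subpacket body: 4 flag octets, two 2-octet lengths, name, value."""
    if len(body) < 8:
        raise ValueError("truncated notation subpacket")
    flags, name_len, value_len = struct.unpack(">4sHH", body[:8])
    if len(body) != 8 + name_len + value_len:
        raise ValueError("notation length mismatch")
    name = body[8:8 + name_len].decode("utf-8")
    value = body[8 + name_len:]
    # Only human-readable values are text; others stay bytes and never match "name=value".
    return name, value.decode("utf-8") if flags[0] & HUMAN_READABLE else value

def make_notation(name: str, value: str) -> bytes:
    """Build a human-readable notation body (used here only to construct sample input)."""
    n, v = name.encode(), value.encode()
    return struct.pack(">4sHH", bytes([HUMAN_READABLE, 0, 0, 0]), len(n), len(v)) + n + v

def accept(signer: str, bindings: dict, wanted: str, fallback: bool = False) -> bool:
    """Hypothetical --assert-notation decision for a data signature made by `signer`.

    Assumptions: `bindings` maps every signing-capable (sub)key of the certificate to
    the notation bodies from the hashed area of its binding signature, and those
    binding signatures were already verified against the primary key.
    """
    name, _, value = wanted.partition("=")

    def has(key: str) -> bool:
        return any(parse_notation(b) == (name, value) for b in bindings.get(key, []))

    if has(signer):
        return True
    # Fallback: accept an unmarked signer only if no signing (sub)key carries the notation.
    return fallback and not any(has(k) for k in bindings)

# Constructed sample certificates; the key labels are placeholders, not real fingerprints.
SCOPED = {"SUBKEY-PACKAGES": [make_notation("my@notation", "xxx")], "SUBKEY-EVERYDAY": []}
LEGACY = {"SUBKEY-EVERYDAY": []}

if __name__ == "__main__":
    for cert, fb in ((SCOPED, False), (SCOPED, True), (LEGACY, True)):
        print({k: accept(k, cert, "my@notation=xxx", fb) for k in cert})
```

With the fallback enabled, a certificate that has adopted the notation on any signing subkey still has its unmarked subkeys rejected, so a compromised everyday subkey cannot pass as the scoped one.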